Commentary: What if another widespread Internet outage happens?
Societies have become more reliant on Internet connection for work, play and life, making us more vulnerable to another Fastly outage incident or worse, a cyberattack, say Bryan Tan and Benjamin Ang.
SINGAPORE: If you noticed that your favourite websites were not working on Tuesday (Jun 8) evening, the reason may appear strange at first.
Fastly, a company previously unknown to most people outside the tech industry, apparently made a configuration error in its systems, and as a result, websites and apps that rely on Fastly’s service – including big names like Amazon, Reddit, New York Times, CNN, BBC, PayPal, Spotify, the UK Government – became unavailable to customers.
For a brief moment, we the public were reminded that while we rely on websites for information, transactions, entertainment, and even government services, those websites in turn rely on content delivery network (CDN) providers like Fastly to deliver those services to us.
And there are just a handful of such CDN providers in the world - meaning that the rich content we have become accustomed to is reliant on such CDN providers to keep the Internet as we know it going.
We say “reminded”, because this happened before in July 2020, when Cloudflare, one of the 10 biggest CDN twice the size of Fastly, had a “bad software deployment” and major websites and apps were affected like Amazon, Reddit, Google, Discord, Shopify, SoundCloud, Medium, BuzzFeed, Pinterest, and Dropbox.
We could be confused because in August 2020, another CDN, CenturyLink, suffered a five-hour IP outage which affected Amazon, Twitter, Microsoft (Xbox Live), Cloudflare (again), EA, Blizzard, Steam, Discord, Reddit, Hulu, Duo Security, Imperva, NameCheap, and OpenDNS.
OUR GROWING RELIANCE ON THE INTERNET FOR WORK, LIFE AND PLAY
The difference this time is that our societies have become so much more reliant on the Internet, especially because of the pandemic. Major commerce (such as the world’s largest online retailer by market cap Amazon) and major news sites going down can affect billions of dollars of trade.
Today, even small businesses and hawkers depend on the Internet to take and deliver orders.
The effects can be disruptive to healthcare and travel. Individual users in the UK were apparently unable to book COVID-19 tests online during the outage, and others reported being unable to fill out the passenger locator form required when entering the UK from overseas.
Even without an outage, even the smallest disturbances to Internet access can be painful. If you are a parent of school-going children, you will recall how much the Student Learning Space would slow on the first day of home-based learning phase, as students logged into the system at the same time.
So as we turn back to our social media feeds and hope that this doesn’t happen too often or for too long, we should ask also ourselves if we are prepared to deal with future outages.
Then, as individual customers, businesses, organizations, or policy makers, we need to figure out what to do. Because these outages will happen again.
WHAT HAPPENS IF THE INTERNET GOES DOWN AGAIN?
Looking at the technology required to run the websites and apps that we rely on today, it’s practically a miracle that the Internet stays up as long as it does.
We routinely use this network of billions of phones, computers, smart devices and other electronic devices to transact and to create, access, communicate and transfer text, sound, images, and video almost instantaneously, at a scale unimaginable a decade or two ago.
Instead, even as we benefit from the speed and convenience of online transactions and services, we should ask ourselves if we have made alternative plans if the Internet shuts down.
We need to make allowances for outages, like additional time and expense of getting things done - making transactions, appointments, or applications - the manual way. We need to find out if there even are alternative ways of getting those things done, and demand that businesses and organisations provide them as a backup. We need to see if we can build in redundancy.
For businesses and organisations, some writers have warned against reliance on CDNs as a “single point of failure”. But CDNs are actually more resilient and faster to recover than individual organisations. In fact, Fastly may have actually met its service level commitment - one hour down-time in a year is not unreasonable.
Small businesses don’t even have the luxury of choosing CDNs, because they rely on larger businesses for services like e-commerce shopfronts (Lazada, Shoppee), delivery (Grab), and web services and storage (Amazon).
Organisations instead need scenario planning, and can learn from the cybersecurity sector. One common cybersecurity scenario that businesses practice is website unavailability, because that could have tremendous impact both on share price and publicity.
After a spate of incidents involving organisations such as the UK National Health Service, the government of Georgia and the Romanian sites of Google and Paypal, most large organisations have rehearsed how to quickly recover should their web assets get hijacked.
READ: Commentary: China’s keyboard warriors are not just fighting the world, they fight each other too
This incident reminds us that it doesn’t take a cyberattack or a bunch of tech whiz hackers to make your website unavailable.
MAKING SURE BUSINESS CAN RESUME
Business Continuity Planning (BCP), which outlines procedures and instructions to follow in the event of disasters or disruptions to IT networks, is not the most exciting work to do. But its principles are something every company and worker are familiar with, after a pandemic has damaged best laid plans.
As with COVID-19, in a prolonged outage, BCP could be reason why your business survives. Having alternative service providers and processes to ensure that business operations can still continue is a must-have.
In January 2021, in response to the SolarWinds attacks of late 2020, the Monetary Authority of Singapore updated its technology risk management guidelines and recommended its licensees evaluate the cybersecurity and code handling processes of their respective service providers.
A malware in a IT software provider like SolarWinds exposed tens of thousands of clients and potentially gave hackers access to the data and networks of their partners and customers.
These are sound suggestions and we see wisdom in wider adoption.
For corporates and government services, while digital access to essential services has been efficient and beneficial, they should also provide people with alternative access, in case digital access is not available. Even under normal circumstances without an Internet outage, these alternatives will help those on the other side of the digital divide.
Our businesses, organisations, government, and ourselves, could all be more resilient if we have back-up plans for the most important things we do. This also applies to other critical infrastructure like electricity, water, transport, and telecommunications, because those outages can occur too.
With the relentless push to digitalisation, our reliance on the Internet will only increase in time. We have been lucky so far, with only a few hours of inconvenience until backup systems kick in. The next outage could be bigger, longer, or the result of some form of premeditated cyberattack.
(Can you really tell the difference between a legitimate email offer and a scam? Listen to cybersecurity experts discuss how scammers are getting increasingly sophisticated on CNA's Heart of the Matter podcast.)
A GLOBAL COMMONS, A NEW CRITICAL INFRASTRUCTURE
It would be foolish to assume we can operate in an online environment as if we were in an offline one. In order to thrive in the digital world, we should ask ourselves what skills, practices and habits we ought to develop to address the unique challenges digitalisation brings.
The Internet is critical infrastructure, and has been recognised so under Singapore’s Cybersecurity Act passed in 2018.
Some may be wondering why Singapore has been actively involved, in particular, chairing the United Nations working group on international law in cyberspace since late-2020.
But this incident precisely illustrates how important the Internet is, and why Singapore needs to help promote a rules based international order, to avert cyber conflict that could cause much worse outages.
We also have Singaporeans volunteering their expertise on the Internet Engineering Task Force which oversees the technical developments of the engineering running the Internet. Others spend attending the Internet Governance Forum in which issues on the governance of the Internet are discussed and debated.
The Internet is too important a resource to be someone else’s problem only - we all need to take individual and collective ownership.
Bryan Tan is a technology media and telecommunications partner at international law firm Pinsent Masons. He is co-chair of the Inter-Pacific Bar Association’s TMT committee and a former president of the Singapore chapter of the Internet Society.
Benjamin Ang is Senior Fellow, Cyber and Homeland Defence, at the Centre of Excellence for National Security, RSIS NTU. He is a former president of the Singapore chapter of the Internet Society.